How Twiggy Saved Sparky

Presentation Transcript

  1. How Twiggy Saved Sparky
     Joseph Calandrino, Matt Spear. Malware Seminar – Fall 2004

  2. Meet Twiggy
     Twiggy, while aware of the performance penalties, supports StackShield-like protection methods for critical data.

  3. Meet Robbie

  4. Robbie’s Setup
     walkAnimal(name), feedAnimal(name), petAnimal(name): each of these calls doAction(action, name).

  5. Evil Is Afoot
     If only I could modify the action for doAction…

  6. More on Robbie
     [Figure: inside petAnimal(name), the name buffer sits next to the action buffer, and the call doAction(action, name) follows.]
     Disclaimer: This is simplified.

  7. Evil Is Afoot
     petAnimal(“SPARKYEA”)… the oversized name runs past its buffer into action. Sparky is mine!!!

  8. More on Robbie
     [Figure: petAnimal(name) with the name and action buffers, followed by doAction(action, name).]

  9. Sparky Senses Danger
     [Figure: petAnimal(name) with the name and action buffers, followed by doAction(action, name).]

  10. The Dreaded Double Pointer
     [Figure: the name and action buffers reached through a double pointer.]

  11. Evil Will Not Be Deterred
     [Figure: the name and action buffers.]

  12. Turn on the Twiggy-Signal

  13. Twiggy to the Rescue
     Secret key = 32589. Robbie needs to store this somewhere inaccessible to Dr. Evil…
     Modify Robbie’s code to maintain hashes of all buffers in a table with one row per buffer: addr, len, hash. It also stores a row for name.
     [Figure: the name and action buffers beside the hash table.]

  14. Without Spoiling Your Day
     But Twiggy is a busy squirrel, so he enlists the aid of a source-to-source transformer to insert the bookkeeping and checks for him.

  15. Stop That Modification!
     Check it before use:
       petAnimal(name)
         if (hash(name) != table[name].hash) exit
         doAction(action, name)

  16. Dr. Evil Is Foiled
     Dr. Evil can’t effectively modify buffers without also altering the matching entries in the table… and those entries are hashed using a secret key he cannot read, so he cannot produce a matching entry.
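The following is an added example, not code from the talk or its authors, that plays out both halves of the story in C: the overflow of slides 4 through 11, where an oversized name runs into the adjacent action buffer, and the defence of slides 13 through 16, where a keyed hash of each critical buffer is recorded in an (addr, len, hash) table and verified before the dangerous call. Everything concrete here is an assumption: the struct layout, the function names, the constructed input "SPARKY--STEAL", and the keyed hash (a keyed FNV-1a stand-in for a real MAC such as HMAC; the slides say only that entries are hashed with a secret key). The secret key 32589 is the slide's value.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed layout (the slides say theirs is simplified): the pet's name sits
 * right before the action string, so an unchecked copy into name runs into
 * action. */
struct robbie_state {
    char name[8];   /* attacker-supplied input is copied here */
    char action[8]; /* what doAction() does; Robbie intends "PET" */
};

/* The bug: a copy with no bounds check, done through the struct's bytes so
 * the overflow lands in action (capped at the struct so the example stays
 * inside the object). */
static void unchecked_copy(struct robbie_state *r, const char *src) {
    char *dst = (char *)r + offsetof(struct robbie_state, name);
    if (strlen(src) + 1 > sizeof *r) return;
    for (size_t i = 0;; i++) { dst[i] = src[i]; if (src[i] == '\0') break; }
}

#define TWIGGY_SECRET_KEY 32589ULL /* slide 13's key; only Robbie's code reads it */

/* Toy keyed hash: FNV-1a with the key absorbed before and after the data and
 * the length covered. A stand-in for a real MAC such as HMAC, not a secure one. */
static uint64_t absorb(uint64_t h, const void *p, size_t len) {
    const unsigned char *b = p;
    for (size_t i = 0; i < len; i++) { h ^= b[i]; h *= 0x100000001b3ULL; }
    return h;
}
static uint64_t keyed_hash(uint64_t key, const void *buf, size_t len) {
    uint64_t h = 0xcbf29ce484222325ULL, n = (uint64_t)len;
    h = absorb(h, &key, sizeof key);
    h = absorb(h, &n, sizeof n);
    h = absorb(h, buf, len);
    return absorb(h, &key, sizeof key);
}

/* Slide 13's table: one (addr, len, hash) row per protected buffer. */
struct twiggy_entry { const void *addr; size_t len; uint64_t hash; };
static struct twiggy_entry twiggy_table[16];
static size_t twiggy_count;

static struct twiggy_entry *twiggy_find(const void *addr) {
    for (size_t i = 0; i < twiggy_count; i++)
        if (twiggy_table[i].addr == addr) return &twiggy_table[i];
    return NULL;
}

/* Record (or refresh) a buffer's hash right after a legitimate write. */
static int twiggy_register(const void *addr, size_t len) {
    struct twiggy_entry *e = twiggy_find(addr);
    if (!e) {
        if (twiggy_count == 16) return -1;
        e = &twiggy_table[twiggy_count++];
        e->addr = addr;
    }
    e->len = len;
    e->hash = keyed_hash(TWIGGY_SECRET_KEY, addr, len);
    return 0;
}

/* Slide 15's check: 1 = intact, 0 = modified, -1 = never registered. */
static int twiggy_check(const void *addr) {
    const struct twiggy_entry *e = twiggy_find(addr);
    if (!e) return -1;
    return keyed_hash(TWIGGY_SECRET_KEY, e->addr, e->len) == e->hash;
}

/* Fresh Robbie for each scenario: table emptied, action set to "PET". */
static void setup(struct robbie_state *r) {
    twiggy_count = 0;
    memset(r, 0, sizeof *r);
    strcpy(r->action, "PET");
}

/* petAnimal without Twiggy. Returns 1 if doAction would run with an action
 * other than "PET", i.e. the overflow hijacked it. */
int pet_animal_unprotected(const char *input) {
    struct robbie_state r;
    setup(&r);
    unchecked_copy(&r, input);
    return strcmp(r.action, "PET") != 0; /* doAction(r.action, r.name) would follow */
}

/* petAnimal with Twiggy: hash action after the legitimate write, verify it
 * before the dangerous call. Returns 1 if the check fails (Robbie exits
 * instead of calling doAction), 0 if the call goes through untouched. */
int pet_animal_protected(const char *input) {
    struct robbie_state r;
    setup(&r);
    twiggy_register(r.action, sizeof r.action);
    unchecked_copy(&r, input);
    if (twiggy_check(r.action) != 1) return 1;
    return 0; /* doAction(r.action, r.name) runs here */
}

/* Slide 16: Dr. Evil overwrites action and also rewrites the table row with
 * a hash computed under the key he guesses. Returns 1 if Twiggy still catches
 * it; only the real key, which he cannot read, makes it 0. */
int forge_table_entry(uint64_t attacker_key) {
    struct robbie_state r;
    setup(&r);
    twiggy_register(r.action, sizeof r.action);
    unchecked_copy(&r, "SPARKY--STEAL"); /* constructed: 8 bytes fill name, "STEAL" lands in action */
    struct twiggy_entry *e = twiggy_find(r.action);
    e->hash = keyed_hash(attacker_key, r.action, e->len);
    return twiggy_check(r.action) != 1;
}
```

Calling pet_animal_unprotected("SPARKY--STEAL") returns 1 (action hijacked), pet_animal_protected with the same input returns 1 (modification detected before doAction), and forge_table_entry only returns 0 when the attacker supplies the real key, which is exactly why slide 13 insists the key live somewhere Dr. Evil cannot reach.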

  17. But At What Cost?
     Hashes and checks can be computationally expensive. Can Robbie feed Twiggy and Sparky on time?

  18. The Statistics

  19. Reduce the Cost
     Do we need to check all buffers? What about only checking buffers used as inputs to dangerous methods? (That’s all the buffers in our example, but likely far fewer than in a real program.) Can Twiggy use call-graph analysis to find those buffers?

  20. Did It Work?
     • Basic defense method protects buffers from modification.
     • Aliasing ignored.
     • Can we track down critical buffer values? We’re still working on that.
     • But, for Twiggy, yes (this is supposed to be a happy story).

  21. Happily Ever After
     By maintaining hashes of critical buffer values and verifying them before dangerous function calls, Twiggy efficiently prevents malicious modifications and moves on to new adventures.